Microsoft has released its final Patch Tuesday updates of the year, delivering fixes for 57 security vulnerabilities, including three zero-day flaws, one of which is currently being exploited in the wild.
Actively Exploited Windows Zero-Day
The most critical issue among this month’s patches is CVE-2025-62221, a use-after-free vulnerability found in the Windows Cloud Files Mini Filter Driver. With a CVSS score of 7.8, the flaw allows attackers to escalate privileges to SYSTEM level, giving them full control over targeted Windows machines.
Microsoft confirmed evidence of real-world attacks leveraging the bug but did not disclose details about the threat actors or scope of exploitation.
A second privilege escalation flaw in the same driver, CVE-2025-62454 (CVSS 7.8), has also been patched. While Microsoft says the vulnerability is not yet being used in active attacks, it warns that exploitation is likely.
Publicly Disclosed RCE Bugs in PowerShell and Copilot for JetBrains
The December updates also address two command injection vulnerabilities capable of enabling remote code execution:
- CVE-2025-64671 in Copilot for JetBrains
- CVE-2025-54100 in PowerShell
Both issues became public prior to patch availability, raising concerns about potential exploitation. Microsoft notes that attacks are not expected to be widespread, though proof-of-concept code exists for the JetBrains-related flaw.
Office Suite Receives 13 Fixes, Including Two Email-Based RCE Threats
Microsoft also pushed patches for 13 Office vulnerabilities, including two high-severity issues flagged as critical:
- CVE-2025-62554 (type confusion)
- CVE-2025-62557 (use-after-free)
Each carries a CVSS score of 8.4, and both could enable attackers to execute code remotely via malicious emails. Notably, the Outlook Preview Pane is listed as an attack vector, so a user could be compromised merely by previewing the message, without opening it or otherwise interacting with it.
“In a worst-case scenario, a specially crafted email could trigger remote code execution without the user clicking or opening anything,” Microsoft warned.
Additional Products Receiving Patches
Other Microsoft services and applications covered in the December rollout include:
- Visual Studio
- Azure Monitor Agent
- Hyper-V
- Edge for iOS
- Application Information Service
The update closes out a year in which Microsoft fixed approximately 1,200 vulnerabilities, marking the second year in a row the company has patched more than a thousand security flaws.